[wp-trac] [WordPress Trac] #28469: Open Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php) (CVE-2014-2229)
WordPress Trac
noreply at wordpress.org
Fri Jun 6 16:26:33 UTC 2014
#28469: Open Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php)
(CVE-2014-2229)
--------------------------+----------------------
Reporter: blackswallow | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version:
Severity: normal | Resolution: invalid
Keywords: | Focuses: ui
--------------------------+----------------------
Changes (by nacin):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:

When creating this ticket, was "Do not report potential security
vulnerabilities here. See the Security FAQ and contact
security at wordpress.org." not noticeable? Honest question. If you have
JavaScript enabled, you additionally would have needed to click a checkbox
affirming "I am not reporting a security issue — report security issues to
security at wordpress.org".

I'm dealing with this through proper channels to reflect that the issue is
the "WP Login" plugin. That plugin does indeed have a "wp-login.php" file,
unrelated to WordPress core's "wp-login.php" file. Your report doesn't
make it very clear, but WordPress core is not affected by this. I don't
know through what means you requested CVE-2014-2229 but if it is
classified as a vulnerability in WordPress, it will be inaccurate.

For future reference, any plugin issues can be emailed to
plugins at wordpress.org. Had security at wordpress.org been emailed, it would
have been forwarded there.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28469#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform